SpipCP
Administration

Accounts & sign-in

Invites, two-factor authentication, recovery codes, password reset, and sessions.

Invite-only sign-up

After the first admin exists, new accounts arrive only by invitation. An admin sends an invite (email + role); the invitee follows a one-time link to finish sign-up and gets the invited role. Invites expire, and the invite link is stored hashed, so a database dump never reveals a usable link.

There's no public sign-up form. The only people with accounts are the people you invited.

Two-factor authentication (TOTP)

Two-factor uses a standard time-based one-time password (TOTP) from any authenticator app. Set it up under Account → Security:

  1. Confirm your password.
  2. Scan the QR code (or copy the secret) into your authenticator.
  3. Save your recovery codes (download or copy). They're shown once.
  4. Enter a current code to turn on two-factor.

Recovery codes are not optional

Each recovery code works once if you lose your authenticator. Save them somewhere safe the moment they appear — they're not shown again. Both the TOTP secret and the codes are encrypted at rest.

Password reset

If SMTP is configured, a password reset arrives as a time-limited email link. Email is fine for reset because it isn't the sign-in path — your password + TOTP always work, mail or no mail. If email is down, an admin can re-invite you.

Sessions

Account → Sessions lists every active session — its device, address, and start time — with a Revoke action on each. Revoke the session you're using and you're signed out and sent to the login page; revoke another and it simply drops. Every revoke is recorded in the audit log.

On this page